THE MAILING DATE OF THIS COMMUNICATION. 

• Extensions of time may be available under the provisions of 37 CFR 1.136(a). In no event, however, may a reply be timely filed after SIX (6) MONTHS from the mailing date of this communication. 
earned patent term adjustment. See 37 CFR 1.704(b). 
2a) [X] This action is FINAL. 2b) [ ] This action is non-final. 
[ ] Claim(s) is/are objected to. 
Replacement drawing sheet(s) including the correction is required if the drawing(s) is objected to. See 37 CFR 1.121(d). 
DETAILED ACTION 

1. This action is in reply to applicant's correspondence of 16 April 2004. 

2. Claims 1, 2, 4-23 are pending for examination. 

3. Claims 1, 2, 4-23 are rejected. 

Specification 

4. The objection to the disclosure dealing with various informalities is withdrawn. 

Claim Rejections - 35 USC §102 
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the 
basis for the rejections under this section made in this Office action: 

A person shall be entitled to a patent unless - 

(b) the invention was patented or described in a printed publication in this or a foreign country or in public use or on sale in this country, more than one year prior to the date of application for patent in the United States. 

5. Claims 1, 2, 4-23 are rejected under 35 U.S.C. 102(b) as being anticipated by Maloney et al, U.S. Patent 6,269,447 B1. 

6. As per claim 1; "A system for detecting intrusions [ABSTRACT, col. 1, lines 20-31, 40-50, col. 2, lines 12-14, 34-40, col. 3, lines 1-14, col. 12, lines 21-35], comprising: an analysis engine [col. 2, lines 41-47, col. 3, lines 28-32, col. 4, lines 43-50, col. 5, lines 54-62, col. 7, lines 7-12]; and at least one sensor, configured to communicate with the analysis engine using at least one meta-protocol under which a 4-tuple is used to represent a data item to be sent to the analysis engine for analysis; wherein the 4-tuple represents the data item in a manner that enables the analysis engine to receive and use the data item regardless of how the data item is represented and organized on a platform associated with the sensor [figure 2 (meta data reference, and network addressing/database entry referencing parameters), col. 1, line 54-col. 2, line 10, col. 2, lines 16-33, 48-50 ('deriving generic structure' reference), col. 4, lines 15-22, 34-37, col. 5, lines 24-28, 39-52, 63-67, col. 6, lines 38-44, col. 8, lines 27-34, col. 9, lines 24-30, 47-50, 54-58, col. 11, line 47-col. 12, line 2]."; 

And further as per claim 22; "A method for detecting intrusions [This claim is the method 
of the apparatus (system) claim 1, and is rejected for the same reasons provided for the claim 1 
rejection above], comprising the steps of providing an analysis engine; providing at least one 
sensor; and defining a meta-protocol including a 4-tuple for communication between the analysis 
engine and the at least one sensor; wherein the 4-tuple represents a data item to be sent to the 
analysis engine for analysis in a manner that enables the analysis engine to receive and use the 
data item regardless of how the data item is represented and organized on a platform associated 
with the sensor"; 

And further as per claim 23; "A computer program product for detecting intrusions on a 
host [This claim is the embodied in software method of the method claim 22, and is rejected for 
the same reasons provided for the claim 22 rejection above], the computer program product 
being embodied in a computer readable medium having machine readable code embodied therein 
for performing the steps of providing an analysis engine; providing at least one sensor; and 
defining a meta-protocol including a 4-tuple for communication between the analysis engine and 
the at least one sensor; wherein the 4-tuple represents a data item to be sent to the analysis engine 
for analysis in a manner that enables the analysis engine to receive and use the data item 
regardless of how the data item is represented and organized on a platform associated with the 
sensor". 

7. Claim 2 additionally recites the limitations that "The system as recited in claim 1, wherein the meta-protocol includes a data packet, and the data packet includes the 4-tuple." The teachings of Maloney et al (figure 2 (meta data reference, and network addressing/database entry referencing parameters)) suggest such limitations; 

8. Claim 4 additionally recites the limitations that "The system as recited in claim 1, wherein the 4-tuple comprises a semantic type, data type, data type size, and value of the data item". The teachings of Maloney et al (figure 2 (meta data reference, and network addressing/database entry referencing parameters), and figure 4 (i.e., the address, password, user, etc., parameters represent the equivalent)) suggest such limitations; 

9. Claim 5 additionally recites the limitations that "The system as recited in claim 4, wherein the analysis engine is configured to use the data item to detect an intrusion.". The teachings of Maloney et al (ABSTRACT, col. 1, lines 20-31, 40-50, col. 2, lines 12-14, 34-40, col. 3, lines 1-14, col. 12, lines 21-35) suggest such limitations; 

10. Claim 6 additionally recites the limitations that "The system as recited in claim 1, wherein the at least one sensor is configured to communicate with the analysis engine using a plurality of meta-protocols.". The teachings of Maloney et al (figure 2 (meta data reference, and network addressing/database entry referencing parameters), col. 1, line 54-col. 2, line 10, col. 2, lines 16-33, 48-50 ('deriving generic structure' reference), col. 4, lines 15-22, 34-37, col. 5, lines 24-28, 39-52, 63-67, col. 6, lines 38-44, col. 8, lines 27-34, col. 9, lines 24-30, 47-50, 54-58, col. 11, line 47-col. 12, line 2) suggest such limitations; 
11. Claim 7 additionally recites the limitations that "The system as recited in claim 6, wherein each of the plurality of meta-protocols includes a 4-tuple." The teachings of Maloney et al (figure 2 (meta data reference, and network addressing/database entry referencing parameters), col. 1, line 54-col. 2, line 10, col. 2, lines 16-33, 48-50 ('deriving generic structure' reference), col. 4, lines 15-22, 34-37, col. 5, lines 24-28, 39-52, 63-67, col. 6, lines 38-44, col. 8, lines 27-34, col. 9, lines 24-30, 47-50, 54-58, col. 11, line 47-col. 12, line 2) suggest such limitations; 

12. Claim 8 additionally recites the limitations that "The system as recited in claim 6, 
wherein the analysis engine is configured to invoke the at least one sensor and specify a set of 
meta-protocols supported by the analysis engine, and wherein the at least one sensor is 
configured to select a meta-protocol from the set.". The teachings of Maloney et al (col. 8, lines 
19-26, col. 5,lines 24-30 (such that the configuration of the system would inherently encompass 
configuration of the sensor subsystem, such as the communications protocols (data and meta data 
levels), col. 8,lines 34-40, col. 9,lines 55-60) suggest such limitations; 

13. Claim 9 additionally recites the limitations that "The system as recited in claim 8, 
wherein the set is a null set, and the at least one sensor is configured to use a default protocol.". 
The teachings of Maloney et al (col. 8, lines 19-26, col. 5, lines 24-30 (such that the configuration of the system would inherently encompass configuration of the sensor subsystem, such as the communications protocols (data and meta data levels, including active, initialized, default (i.e., null set specified), and degraded states (i.e., figure 3, 'promiscuous mode' reference), col. 8, lines 34-40, col. 9, lines 55-60) suggest such limitations; 

14. Claim 10 additionally recites the limitations that "The system as recited in claim 7, 
wherein the analysis engine is configured to specify a set of semantic codes representing data 
being requested by the analysis engine.". The teachings of Maloney et al (figure 2 (meta data reference, and network addressing/database entry referencing parameters), col. 1, line 54-col. 2, line 10, col. 2, lines 16-33, 48-50 ('deriving generic structure' reference), col. 4, lines 15-22, 34-37, col. 5, lines 24-28, 39-52, 63-67, col. 6, lines 38-44, col. 8, lines 27-34, col. 9, lines 24-30, 47-50, 54-58, col. 11, line 47-col. 12, line 2, figure 4 references to the various applications, and password types (i.e., FTP versus WWW versus POP3, etc.)) suggest such limitations; 

15. Claim 11 additionally recites the limitations that "The system as recited in claim 10, wherein the at least one sensor is configured to supply data associated with the semantic codes, and wherein the at least one sensor further supplies data not associated with the semantic codes.". The teachings of Maloney et al (col. 8, lines 19-26, col. 5, lines 24-30 (such that the configuration of the system would inherently encompass configuration of the sensor subsystem, such as the communications protocols (data and meta data levels, including active, initialized, default (i.e., null set specified), and degraded states (i.e., figure 3, 'promiscuous mode' reference would encompass allowing data transfer of specified and non-specified types (i.e., semantic specification) of data as per a given specified or selected (meta) protocol), col. 8, lines 34-40, col. 9, lines 8-14, 55-60) suggest such limitations; 

Application/Control Number: 09/651,303 Page 7 

Art Unit: 2136 

16. Claim 12 additionally recites the limitations that "The system as recited in claim 11, wherein the analysis engine is configured to disregard the data not associated with the semantic codes.". The teachings of Maloney et al (col. 8, lines 19-26, col. 5, lines 24-30 (such that the configuration of the system would inherently encompass configuration of the sensor subsystem, such as the communications protocols (data and meta data levels, including active, initialized, default (i.e., null set specified), and degraded states (i.e., figure 3, 'promiscuous mode' reference would encompass allowing data transfer of specified and non-specified types (i.e., semantic specification) of data as per a given specified or selected (meta) protocol. Further, as per figures 2, 3, 5 the visual representation of said disregarded data (as well as 'regarded' data) would encompass the associated (disregarded) data), col. 8, lines 34-40, col. 9, lines 8-14, 55-60) suggest such limitations; 

17. Claim 13 additionally recites the limitations that "The system as recited in claim 10, wherein the set of semantic codes is a null set, and the at least one sensor is configured to use a default set of semantic codes.". The teachings of Maloney et al (col. 8, lines 19-26, col. 5, lines 24-30 (such that the configuration of the system would inherently encompass configuration of the sensor subsystem, such as the communications protocols (semantic (i.e., type) of data, the actual data, and meta data levels, including active, initialized, default (i.e., null set specified), and degraded states (i.e., figure 3, 'promiscuous mode' reference), col. 8, lines 34-40, col. 9, lines 55-60) suggest such limitations; 
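The claim language above describes a sensor-to-engine meta-protocol in which each data item is carried as a 4-tuple of semantic type, data type, data type size and value (claims 1 and 4), the engine names the semantic codes it wants, a null set means a default set (claim 13), and the engine disregards anything the sensor sends outside that set (claim 12). The following is an added illustration of how such a 4-tuple wire format and semantic-code selection can be implemented; it is example code written for this page, not code from the application, from Maloney et al, or from any product. All semantic codes, data-type codes, the header layout and the sample sensor data are constructed for the example.

```python
"""
Sketch of a platform-independent 4-tuple meta-protocol between a sensor and an
analysis engine. Every item is sent as (semantic type, data type, data type size,
value); the header and integers use fixed network byte order, so the engine can
decode the item regardless of the sensor host's native representation.
All codes and sample data below are constructed for this example.
"""
import struct
from typing import FrozenSet, List, Tuple

# Constructed semantic codes: what the datum means to the engine.
SEM_SRC_ADDR = 1
SEM_USERNAME = 2
SEM_FAILED_LOGINS = 3
SEM_TIMESTAMP = 4

# Constructed data-type codes: how the value is encoded on the wire.
DT_UINT = 1    # unsigned integer, big-endian, `size` bytes (1, 2, 4 or 8)
DT_BYTES = 2   # raw octets, `size` bytes
DT_UTF8 = 3    # UTF-8 text, `size` bytes

# Default semantic set used when the engine specifies a null (empty) set.
DEFAULT_SEMANTIC_CODES: FrozenSet[int] = frozenset(
    {SEM_SRC_ADDR, SEM_USERNAME, SEM_FAILED_LOGINS})

_UINT_FMT = {1: ">B", 2: ">H", 4: ">I", 8: ">Q"}
_HEADER = struct.Struct(">HBH")   # semantic type u16, data type u8, size u16

FourTuple = Tuple[int, int, int, object]


def encode_item(semantic: int, data_type: int, value) -> bytes:
    """Sensor side: turn a native value into one 4-tuple wire record."""
    if data_type == DT_UINT:
        if not 0 <= value < 1 << 64:
            raise ValueError("integer out of range for the wire format")
        size = next(n for n in (1, 2, 4, 8) if value < 1 << (8 * n))
        payload = struct.pack(_UINT_FMT[size], value)
    elif data_type == DT_UTF8:
        payload = value.encode("utf-8")
        size = len(payload)
    elif data_type == DT_BYTES:
        payload = bytes(value)
        size = len(payload)
    else:
        raise ValueError(f"unknown data type {data_type}")
    return _HEADER.pack(semantic, data_type, size) + payload


def decode_items(packet: bytes) -> List[FourTuple]:
    """Engine side: walk a packet of records and return decoded 4-tuples.
    Truncated or malformed records raise instead of being silently mis-parsed."""
    items, off = [], 0
    while off < len(packet):
        if len(packet) - off < _HEADER.size:
            raise ValueError("truncated header")
        semantic, data_type, size = _HEADER.unpack_from(packet, off)
        off += _HEADER.size
        payload = packet[off:off + size]
        if len(payload) != size:
            raise ValueError("truncated payload")
        off += size
        if data_type == DT_UINT:
            if size not in _UINT_FMT:
                raise ValueError(f"bad integer size {size}")
            value = struct.unpack(_UINT_FMT[size], payload)[0]
        elif data_type == DT_UTF8:
            value = payload.decode("utf-8")
        elif data_type == DT_BYTES:
            value = payload
        else:
            raise ValueError(f"unknown data type {data_type}")
        items.append((semantic, data_type, size, value))
    return items


def engine_select(items: List[FourTuple], requested: FrozenSet[int]) -> dict:
    """Keep only items whose semantic code the engine asked for. An empty set
    means the default set; everything else the sensor supplied is disregarded."""
    wanted = requested or DEFAULT_SEMANTIC_CODES
    return {sem: value for sem, _dt, _size, value in items if sem in wanted}


def example_packet() -> bytes:
    """Constructed sensor packet: four items, one of which (the timestamp)
    falls outside the default semantic set."""
    return b"".join([
        encode_item(SEM_SRC_ADDR, DT_BYTES, bytes([10, 0, 0, 5])),
        encode_item(SEM_USERNAME, DT_UTF8, "alice"),
        encode_item(SEM_FAILED_LOGINS, DT_UINT, 7),
        encode_item(SEM_TIMESTAMP, DT_UINT, 1_700_000_000),
    ])


if __name__ == "__main__":
    decoded = decode_items(example_packet())
    print(engine_select(decoded, frozenset()))            # default set applied
    print(engine_select(decoded, frozenset({SEM_TIMESTAMP})))
```

The size field lets the engine skip over or reject a record without understanding its data type, and the decoder checks every length before slicing, which is the check a practitioner would want on any sensor feed that crosses a trust boundary.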

18. Claim 14 additionally recites the limitations that "The system as recited in claim 1, wherein the analysis engine is located on a first host and an instance of the at least one sensor is located on a second host apart from the first host.". The teachings of Maloney et al (figure 2, and associated description, col. 2, lines 15-33) suggest such limitations; 

19. Claim 15 additionally recites the limitations that "The system as recited in claim 14, comprising a second instance of the at least one sensor, wherein the second instance is located on a host apart from the second host.". The teachings of Maloney et al (figure 2, and associated description, col. 2, lines 15-33, col. 5, lines 34-38, col. 6, lines 33-38, col. 7, lines 22-24) suggest such limitations; 
20. Claim 16 additionally recites the limitations that "The system as recited in claim 1, 
wherein the at least one sensor includes a sensor collector in communication with the analysis 
engine.". The teachings of Maloney et al (col. 8, lines 19-26, col. 5,lines 24-30 (such that the 
configuration of the system would inherently encompass configuration of the sensor subsystem, 
such as the communications protocols (data and meta data levels), and sensor routing of 
collection functions (i.e., figure 3), col. 8,lines 34-40, col. 9,lines 55-60) suggest such 
limitations; 

21. Claim 17 additionally recites the limitations that "The system as recited in claim 1, further comprising a sensor collector disposed in a communication path between the analysis engine and the at least one sensor.". The teachings of Maloney et al (col. 8, lines 19-26, col. 5, lines 24-30 (such that the configuration of the system would inherently encompass configuration of the sensor subsystem, such as the communications protocols (data and meta data levels), and sensor routing of collection functions (i.e., figure 3, configuration of sensor manager), col. 8, lines 34-40, col. 9, lines 55-60) suggest such limitations; 

22. Claim 18 additionally recites the limitations that "The system as recited in claim 1, 
wherein the analysis engine is configured to load a rule set while the analysis engine is in 
operation.". The teachings of Maloney et al (col. 4,lines 20-33, col. 5,lines 7-17,33-53, col. 
6, lines 45-59, col. 7, lines 7-34, col. 8, lines 34-50, col. 9, lines 9-14, 37-41, col. 11, lines 1-5, col. 
12, lines 21-34) suggest such limitations; 

23. Claim 19 additionally recites the limitations that "The system as recited in claim 1, further comprising a second sensor, and wherein the analysis engine is configured to load a rule set for the second sensor while the analysis engine is in operation.". The teachings of Maloney et al (col. 4, lines 20-33, col. 5, lines 7-17, 33-53, col. 6, lines 45-59, col. 7, lines 7-34, col. 8, lines 34-50, col. 9, lines 9-14, 37-41, col. 11, lines 1-5, col. 12, lines 21-34, figure 2, and associated description, col. 2, lines 15-33, col. 6, lines 33-38) suggest such limitations; 

24. Claim 20 additionally recites the limitations that "The system as recited in claim 19, 
wherein the rule set is configured to specify interactions of data from the second sensor with data 
from the at least one sensor.". The teachings of Maloney et al (col. 4, lines 20-33, col. 5, lines 7-17, 33-53, col. 6, lines 45-59, col. 7, lines 7-34, col. 8, lines 34-50, col. 9, lines 9-14, 37-41, col. 11, lines 1-5, col. 12, lines 21-34, figure 2, and associated description, col. 2, lines 15-33, col. 6, lines 33-38) suggest such limitations; 

25. Claim 21 additionally recites the limitations that "The system as recited in claim 20, wherein the analysis engine is configured to ignore rules in the rule set that specify data not supplied by any sensor.". The teachings of Maloney et al (col. 4, lines 20-33, col. 5, lines 7-17, 33-53, col. 6, lines 45-59, col. 7, lines 7-34, col. 8, lines 34-50, col. 9, lines 9-14, 37-60, col. 11, lines 1-5, col. 12, lines 21-34, figure 2, and associated description, col. 2, lines 15-33, col. 6, lines 33-38, col. 8, lines 19-26, col. 5, lines 24-30 (such that the configuration of the system would inherently encompass configuration of the sensor subsystem, such as the communications protocols, and rules criteria (data and meta data levels, including active, initialized, default (i.e., null set specified), and degraded states (i.e., figure 3, 'promiscuous mode' reference would encompass allowing data transfer and the rules governing such transfer, of specified and non-specified types (i.e., semantic specification) of data as per a given specified or selected (meta) protocol. Further, as per figures 2, 3, 5 the visual representation of said disregarded data (as well as 'regarded' data) would encompass the associated (disregarded) data)) suggest such limitations; 

Response to Amendment 

26. As per applicant's argument concerning Maloney et al not teaching or specifically not suggesting the claim elements involved with using a "4-tuple" to represent the data from the sensor to the analysis engine, the examiner has fully considered the arguments and finds them not to be persuasive. The qualifier "suggests" also encompasses the interpretation of the claim language as broadly interpreted by the examiner, which would be proper under 35 USC 102 (and 103 for that matter). 

Further, the Maloney et al "generic structure", as broadly interpreted by the examiner, could encompass data structures as simple as 8-bit byte data, or as complex as instantiated objects of any arbitrarily defined class, such that the "4-tuple" as recited in the claim language in claims 1, 22 and 23 would be taught or suggested by the Maloney et al reference. 

27. THIS ACTION IS MADE FINAL. Applicant is reminded of the extension of time 
policy as set forth in 37 CFR 1.136(a). 

A shortened statutory period for reply to this final action is set to expire THREE 
MONTHS from the mailing date of this action. In the event a first reply is filed within TWO 
MONTHS of the mailing date of this final action and the advisory action is not mailed until after 
the end of the THREE-MONTH shortened statutory period, then the shortened statutory period 
will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. 



28. Any inquiry concerning this communication or earlier communications from examiner 
should be directed to Ronald Baum, whose telephone number is (703) 305-4276. The examiner 
can normally be reached Monday through Friday from 8:00 AM to 5:30 PM. 

If attempts to reach the examiner by telephone are unsuccessful, the examiner's supervisor, Kim Vu, can be reached at (703) 305-4393. The Fax number for the organization where this application is assigned is 703-872-9306. 

Ronald Baum 

Patent Examiner 

Conclusion 

Ayaz Sheikh 

SUPERVISORY PATENT EXAMINER 
TECHNOLOGY CENTER 2100 